The Productive (and destructive) Power of the Internet of Things

Joshua J Morley GAICD
Joshua J Morley IoT
7 min read · Mar 21, 2022

“Innovation is just creativity applied with technology” — Joshua J S Morley

This sentiment is as important in cyber as it ever will be, because the nature of any kind of security is that malicious actors will always be trying to find more and more innovative ways of breaking through the defences put in place by the good guys, and it's the security professional's job to come up with creative ways of patching any vulnerabilities that could be breached. But therein lies a problem: the defenders need to protect against hundreds, thousands or more flaws in their defences, whereas the attackers may only need to successfully hit 1 flaw.

This post is going to be exploring the productive power of the internet of things, but also identifying that the internet of things has a highly destructive power too. The article will conclude with some hints on some vital ways of securing IoT devices and infrastructure.

The internet of things brings enormous opportunity that people outside the industries sometimes may not register. It's funny reading a lot of misguided comments about the IoT made by people who maybe don't understand that the internet of things is so much more than a smart coffee machine hooked up to your bash terminal.

Estimates from Juniper Research place the total number of current IoT devices and actuators at around 46 billion. This Internet of Things landscape is comprised of around 55% consumer devices and 45% enterprise.

That’s a lot of devices, so what are they all doing?

IoT is being used to actively improve the standard of life and help stop unnecessary deaths all around the world. In agriculture, the internet of things is helping farmers grow the same yield with 40% less water and fertilizer, and I'm not even going to go into smart farms, hydroponics or vertical farms, all enabled by the IoT. Biometric devices are being used for detection in healthcare for everything from breast cancer through a smart bra to non-invasive biometric monitoring and fall detection in aged homes. The IoT is being used by governments and councils around the world to get a deep understanding of pollution of air and water, to try to minimise the 9 million deaths seen a year resulting from pollution of air and water. And IoT is being used by mining companies around the world to optimise maintenance and production, in the process saving them or making them additional tens of millions a year.

A 2018 report published by PwC in collaboration with the ACS (that I helped author) shows us the staggering figures and potential impact for additional revenue the internet of things will have on the Australian economy.

We can see IoT has a potential impact of just under 200 billion to just over 300 billion over the next 4 to 14 years in Australia.

But while the internet of things is productively powerful, it's also destructively powerful. In security we've always been concerned about having our systems breached, but how much more destructive power can a breached system have if the impacted system is attached to our hearts, or controlling a car full of our friends and families? It's a horrifying thought, but these are both real-world examples.

465 000 pacemakers were found to be vulnerable to exploitation where malicious actors could control the pacemaker, changing the pace, making it rapidly discharge its power, or even administering shocks to the person's heart. Several Jeep models were demonstrated to be remotely hackable and controllable, including steering and braking the cars. And a casino had 10GB of data, including high-roller data, exfiltrated after their networks were breached via the fish tank thermometer.

When we think about the amount of processing power of IoT devices, we don't think of it as significant. But when millions of devices are combined, their power is enormously destructive. This became evident through the Mirai botnet, a botnet comprised of smart devices that in 2016 was used to launch the largest DDoS attack in history to that point, targeting the DNS provider Dyn. This IoT botnet denied service to huge global companies such as Spotify, Reddit and Twitter, and at its peak was hammering Dyn with 1.2TB of data per second. Even now, 6 years later, it remains the 6th largest DDoS attack in history when looking at peak bit rates. That is some pretty awesome destructive power.

So how do we go from a small microcontroller sitting inside Jeremy's smart toaster to a DDoS with 1.2TB of data per second? One factor is that insecure IoT devices widen the attack surface that malicious actors can infiltrate and exploit. It just takes 1 insecure device with an internet-facing connection for a hacker to get into that network, and once in, how secure are the rest of the devices on connected networks? Insecure IoT devices can be used to access systems that are not internet facing. An example of this is the casino hack, where the fish tank's thermometer was used to enter the network and then access and exfiltrate 10GB of data, including high-roller database items.

But there is also the data to consider. Thanks to smart devices, a hacker can gain access to thousands of additional data points that were never available in the past. It doesn't even need to be a hacker, because sometimes companies will unwittingly do the hard work for them. Strava released activity tracking information gathered from fitness trackers and smartphones that allowed the public to see detailed routes travelled around the world, including detailed foot traffic paths of forward operating military bases in the Middle East. Oops.

So how can we secure against becoming one of the botnet's bots, widening our system's attack surface, or providing malicious actors a ridiculous number of data points? At an overarching level it's not actually that difficult, and it follows many of the security principles we've known for some time.

· Abide by the Australian Signals Directorate's (ASD) "Essential 8"

· Abide by password best practices

· And abide by device securing best practices

ASD Essential 8

The ASD Essential 8 are the successors to the ASD’s former ‘top 4 mitigation strategies’ and are commonly considered to be the baseline of required security principles. These principles are essential to protecting a system, and together they provide great coverage from hacker intrusion, propagation through the system and data exfiltration.

The Essential 8 are:

1. Application Control (Formerly Application Whitelisting)

2. Patch Applications

3. Configure Microsoft Office Macros

4. User Application Hardening

5. Restrict Administrative Privileges

6. Patch Operating Systems

7. Multi-Factor Authentication

8. Regular Backups

The next set of principles to protect your IoT solution are guidelines relating to access and authentication.

1. Change default usernames and passwords

2. Use unique passwords/keys for each device

3. Cycle all passwords/keys periodically

4. Log and monitor access attempts
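
One way to check the first three guidelines across a fleet, as an added example that is not part of the original article: each device record holds a keyed fingerprint of its credential, so defaults and reuse can be detected without storing the secret itself. The device names, the sample factory defaults, the audit key and the 90-day rotation limit are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

AUDIT_KEY = b"constructed-audit-key"  # assumption: held in a secrets store
MAX_AGE_DAYS = 90  # assumed policy; the article only says "periodically"
# Constructed sample of factory defaults, not a real vendor list.
FACTORY_DEFAULTS = [("admin", "admin"), ("root", "root")]

def fingerprint(username, secret):
    """Keyed hash: lets the inventory detect reuse without storing secrets."""
    msg = f"{username}\x00{secret}".encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()

DEFAULT_FPS = {fingerprint(u, p) for u, p in FACTORY_DEFAULTS}

def audit(inventory, today):
    """Return {device_id: [findings]} for default, stale and shared credentials."""
    findings = defaultdict(list)
    seen = defaultdict(list)  # fingerprint -> device ids using it
    for dev in inventory:
        seen[dev["fp"]].append(dev["id"])
        if dev["fp"] in DEFAULT_FPS:
            findings[dev["id"]].append("default-credential")
        if (today - dev["rotated"]).days > MAX_AGE_DAYS:
            findings[dev["id"]].append("rotation-overdue")
    for ids in seen.values():
        if len(ids) > 1:  # same credential on more than one device
            for dev_id in ids:
                findings[dev_id].append("shared-credential")
    return dict(findings)

# Constructed inventory; device names and secrets are made up.
INVENTORY = [
    {"id": "sensor-01", "fp": fingerprint("admin", "admin"), "rotated": date(2021, 6, 1)},
    {"id": "sensor-02", "fp": fingerprint("svc", "k3-Vq!9z"), "rotated": date(2022, 2, 10)},
    {"id": "sensor-03", "fp": fingerprint("svc", "k3-Vq!9z"), "rotated": date(2022, 2, 10)},
    {"id": "gateway-01", "fp": fingerprint("gw", "T7#mLw2p"), "rotated": date(2022, 3, 1)},
]

if __name__ == "__main__":
    for dev_id, issues in audit(INVENTORY, date(2022, 3, 21)).items():
        print(dev_id, issues)
```
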

And finally, some device and network best practices:

1. Use network segregation

2. Utilise device provisioning services with custom secured images

3. Disable unnecessary communication means and directions

Network segregation is not only a great normal practice to adopt, but can be a saving-grace mitigation technique when you have a dependency on a particular device that may have vulnerabilities yet to be patched. Imagine you're developing an IIoT solution to monitor the water quality of a dam 300km away from the closest town, and the only mature offering on the market has a vulnerability not yet patched. By putting that sensor ecosystem on its own network (and assuming you have the ASD Essential 8 in place), any breach only results in the attacker getting a bunch of water metric packets. They can't propagate into more secure servers or systems, which prevents scenarios such as the casino hack.

The next step is using device provisioning with custom default images that have been secured. Think of that same water sensor: a hacker has managed to exploit the publicised vulnerability and your machine logs are showing anomalous activities. You can use your device provisioning service to flash the device back to its standard image. This will clean off any malware (because the attacker was unable to gain privileged execution rights thanks to the ASD Essential 8), so a wipe gives you a clean slate and puts them back to square one, while giving you the opportunity to take additional actions.

And finally, disable unnecessary communication means and directions. If there is no reason for your devices to talk to each other, explicitly disable the ability to do so. Close off ports that have no value being open, disable communication over protocols you have no need for, and enforce authentication for connections.
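
The segregation and "means and directions" advice above can be checked against observed traffic. The following is an added example, not code from the original article: a default-deny allowlist where direction is part of the rule, evaluated over constructed flow records. The segment names, address ranges and the single permitted flow (sensors to an ingest gateway on TCP 8883) are assumptions.

```python
import ipaddress

# Constructed address plan: every name and range here is an assumption.
SEGMENTS = {
    "sensors": ipaddress.ip_network("10.20.0.0/24"),
    "ingest": ipaddress.ip_network("10.30.0.0/28"),
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
}

# Default deny: the only permitted flow is sensors -> ingest on TCP 8883.
# Direction is part of the rule, so ingest -> sensors is NOT implied.
ALLOWED = {("sensors", "ingest", "tcp", 8883)}

def segment_of(addr):
    """Map an address to its segment name, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def classify(flow):
    """Return None for an allowlisted flow, otherwise a short reason string."""
    src, dst, proto, port = flow
    s, d = segment_of(src), segment_of(dst)
    if (s, d, proto, port) in ALLOWED:
        return None
    if s == d == "sensors":
        return "device-to-device"  # lateral traffic inside the sensor segment
    if s == "sensors":
        return f"sensors-to-{d}"   # a sensor reaching out of its segment
    if d == "sensors":
        return f"{s}-to-sensors"   # inbound direction that was never allowed
    return "not-allowlisted"

def violations(flows):
    return [(f, r) for f in flows if (r := classify(f))]

# Constructed flow records: (source, destination, protocol, destination port).
OBSERVED = [
    ("10.20.0.11", "10.30.0.5", "tcp", 8883),    # expected telemetry
    ("10.20.0.11", "10.20.0.12", "tcp", 23),     # sensor talking to sensor
    ("10.20.0.12", "10.0.4.20", "tcp", 445),     # sensor reaching corporate
    ("10.20.0.11", "203.0.113.9", "tcp", 8883),  # sensor reaching the internet
    ("10.30.0.5", "10.20.0.11", "tcp", 8883),    # reverse direction
]

if __name__ == "__main__":
    for flow, reason in violations(OBSERVED):
        print(reason, flow)
```
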

Conclusion

In this article I have given a background into some productive uses of IoT, the market size in Australia, DDoS attacks and how the Internet of Things can bring huge destructive power. Did this article go the direction you were expecting? Or did I miss anything? Let me know in the comments!

I humbly request if you liked the content, it was informative or thought provoking, please do follow me as both a mechanism of receiving new work I put out, but also to support my efforts on this blogging journey I’m making.


Thank you and best regards,
Josh

Joshua J Morley GAICD
Joshua J Morley IoT

Global Head of Artificial Intelligence, Data & Analytics (ADA), Distinguished Lecturer ADA, IoT, Immersive Technologies & Web3.0. NFP Non Executive Director.